A 𧡠on the recent precautionary pause of the Rainbow Bridge.
TL:DR: it was a bug in the NEAR Core, no funds lost; the vulnerability was never exploited on the Rainbow Bridge; operations of the bridge are fully restored.
@auroraisnear@NEARProtocol@PagodaPlatform
On the 10th of February a vulnerability was discovered in the NEAR Core.
The vulnerability concerns the validation of the block outcome root. A chunk producer (validator) of NEAR blockchain can maliciously construct the incorrect block, which then will be validated by others as if it's the correct one.
This vulnerability presents particular risks for the Rainbow Bridge due to its trustless architecture. In order to finalise a transfer from NEAR, the Ethereum side of the bridge needs to validate the inclusion of the starting transaction on NEAR.
So, if the consensus is broken, incorrect information may be committed, resulting in the draining of the funds from the bridge and potentially affect other bridge connectors.
After a short review of the submission (even before the full validation of the vulnerability), the NEAR Protocol team notified Aurora Labs about the issue.
The decision to stop the bridge and contracts that are holding users' tokens was taken immediately. The Rainbow Bridge security council was incapable of analysing the validity of the issue, but even from its description it was clear that it may be severe.
These transactions shut down the execution of any methods for three connectors that are storing tokens (ERC-20, ETH and eNEAR) as well as the proover contract.
As a result, both tokens and data transfers on the Rainbow Bridge were paused.
After the Rainbow Bridge was stopped, the information was propagated throughout all Aurora channels, including Aurora status page and Rainbow Bridge web-app.
twitter.com/AlexAuroraDev/status/1624190477103669249
Shortly after, the NEAR Protocol team confirmed the validity of the issue and the development of the patch to the NEAR Core started.
On the 11th of February the patch was developed and reviewed and the NEAR Core team started to contact validators to apply the patch. Aurora Labs's validator was updated in the shortest possible timeframe.
Throughout the weekend, validators worked on updating their instances and by the end of 12th February (Europe time) the required 67% stake was reached. Right now the vulnerability can no longer be exploited.
While the NEAR Protocol team was developing the patch and communicating with validators, Aurora Labs's Bridge team analysed the full 2y history of the Rainbow bridge to find out, whether the vulnerability was ever exploited.
The result of the analysis was negative: incorrect transfers were not performed, ever!
It is still possible to leverage this vulnerability, e.g. in the case staking distribution would change in favour of the validators that have not upgraded, so it's important to update the NEAR nodes. However, the chances of this event are negligible.
Overall, this vulnerability was treated in a very professional manner with quick reactions, transparent communication and advanced research. That's how things should be done in blockchain.
I'd like to thank the Security, Bridge and Infrastructure teams in Aurora Labs, as well as the Security and Protocol teams in Pagoda for great and efficient cooperation and care for the users of both NEAR and Aurora.